Equiom: A guide to staying cyber resilient while working from home

Date 18/05/2020

4 minutes to read

Welcome to our fourth article in the Equiom Guides series, this time looking at how to stay safe online while working from home. Here, Stuart Mundy, a Senior Information Security Engineer, offers up his key advice.

Ensuring you do everything you can to protect yourself online is no longer optional. The vast majority of white-collar workers have moved their office to their homes, and while you would expect most businesses to have some form of cyber protection in place, a significant part of the responsibility for staying safe online now rests with you. The guidance below is a reminder of the simple things you can do to massively improve your own security and the security of your company’s systems.

Passwords

Ensure you use unique and strong passwords for each online service you use. I highly recommend using 3 or 4 random words separated by special characters or numbers (minimum length should still be 15) – use words that are easy for you to remember but hard for anyone else to guess. Here are some examples:

Horse-Escaped-Barn-3

HarryPotter@TheGobletOfFire2005

When I was young; I went on a school trip to Alton Towers

The third example shows that a password can be something you remember very easily yet a machine would still take years to brute-force, and that passwords don’t have to be structured in the ways you’ve traditionally been taught. The strength comes from the number of words and how unpredictable they are, not from swapping symbols for letters, so don’t reuse the same phrase across services. Alternatively, a password manager will generate and store a unique random password for each service and do the hard work for you.
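To make the reasoning concrete, here is an added worked example (not part of the original article) in Python that generates a passphrase in the recommended form, checks the 15-character minimum, and compares the guess space of a four-word passphrase with that of a conventional eight-character mixed-character password. The word list is a short constructed one so the example runs offline; the 7776-word figure used in the comparison is the size of a published long diceware-style word list, and the ten billion guesses per second figure is an assumed attacker speed, not a measurement.

```python
import math
import secrets
import string

# Constructed demo word list (assumption). A real passphrase generator draws from a
# published list of several thousand words; this short list only keeps the example offline.
WORDLIST = [
    "horse", "escaped", "barn", "goblet", "fire", "school", "trip", "tower",
    "river", "candle", "marble", "silver", "window", "pepper", "rocket", "lantern",
]
SEPARATORS = "-_.!@#$%&*" + string.digits  # 20 possible separator characters


def generate_passphrase(words=4, wordlist=WORDLIST):
    """Join `words` randomly chosen words with random separators, e.g. Horse-Escaped-Barn-3.

    secrets (a CSPRNG) is used deliberately: random.choice is predictable, and words a
    person picks by hand ("my favourite things") are far from random.
    """
    chosen = [secrets.choice(wordlist).capitalize() for _ in range(words)]
    parts = [chosen[0]]
    for word in chosen[1:]:
        parts.append(secrets.choice(SEPARATORS))
        parts.append(word)
    return "".join(parts)


def passphrase_entropy_bits(words, wordlist_size, separator_choices=len(SEPARATORS)):
    """Size of the guess space, in bits, when the attacker knows the list and the scheme."""
    return words * math.log2(wordlist_size) + (words - 1) * math.log2(separator_choices)


def random_chars_entropy_bits(length, alphabet_size):
    """The same measure for a conventional random-character password."""
    return length * math.log2(alphabet_size)


def worst_case_crack_years(bits, guesses_per_second):
    """Years needed to try the whole guess space at the given rate (on average, half this)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def meets_policy(password, min_length=15):
    """The article's minimum: at least 15 characters."""
    return len(password) >= min_length


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, "meets policy:", meets_policy(pw))
    # Four words from a 7776-word list with random separators vs. eight random
    # characters from a 72-character alphabet (upper, lower, digits, ten symbols).
    phrase_bits = passphrase_entropy_bits(4, 7776)
    short_bits = random_chars_entropy_bits(8, 72)
    rate = 1e10  # assumed offline cracking rate, guesses per second
    print(f"4-word passphrase: {phrase_bits:.1f} bits, "
          f"{worst_case_crack_years(phrase_bits, rate):.1f} years to exhaust")
    print(f"8-char complex password: {short_bits:.1f} bits, "
          f"{worst_case_crack_years(short_bits, rate):.4f} years to exhaust")
```

The comparison is the point: at the assumed rate the eight-character "complex" password falls in under a day, while the four-word passphrase takes decades, even though it is made of ordinary dictionary words.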

Two Factor Authentication (2FA)

Enable 2FA on all online accounts that support it. 2FA is a free feature offered by the vast majority of the online services we use day to day. I cannot stress how important this is as a preventative measure: if your password is ever breached or leaked online, 2FA is what stops that password alone being enough to log in. Where a service lets you choose, an authenticator app or a hardware security key is a stronger second factor than a code sent by SMS.

Ensure personal devices are up to date

If you use a personal device to access company systems then you must keep it up to date at all times. Exploitable security flaws exist because mistakes in software allow systems to be manipulated in ways they were never intended to allow. Software updates patch these flaws on a regular basis, so apply updates as soon as they become available rather than deferring them, and turn on automatic updates where the device offers them. Updates apply to any device that runs software, which includes your phone and home router as well as your laptop; check yours today and apply any that are outstanding.

Tips for video conferencing

Many of the ‘free’ video conferencing systems record your activity and may share your data. Read the terms and conditions before using a third party video conferencing system you’re not already familiar with. If you need to communicate via video for work purposes, use the software approved by your company.
It seems obvious, but if someone joins a call and does not have a webcam enabled – make sure you can confirm they are who they say they are.

Phishing

Phishing is the attack behind the majority of the breaches we see worldwide. Criminals are taking advantage of the current situation by setting up fake Covid websites, publishing fake Covid tracking apps, and sending emails and texts purporting to be from the UK and US governments offering cash payments.
While service providers and security teams do all that can be done to minimise the threat, the best defence is care and attention when handling emails, clicking links and installing applications. Before you open any link in an email, run through the following checks:

Was the email expected? NO? Don’t click any links

Do you know the sender? NO? Don’t click any links

Is the email saying you have to reset a password? YES? Don’t click any links

Is the email trying to get you to take action urgently? YES? Don’t click any links

If you do receive an email from a known contact asking you to do any of the above, treat it as highly suspicious too: your contact’s email account could have been hijacked, and the criminals may be relying on the fact that you’ll recognise the sender and click the link. Contact your IT department, or confirm with the sender through a separate channel such as a phone call (not by replying to the email itself).
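As an added example that is not from the original article, the following Python turns the checklist above and the advice about links into something a practitioner could run over a suspicious message. It pulls every link out of an HTML email body, compares the address shown to the reader with the address the link really goes to, flags targets that are not HTTPS or that merely embed a trusted name as a subdomain of some other domain, and looks for the password-reset and urgency language the checklist warns about. The trusted domain acme-corp.com and the email body are constructed for the demo, and registrable_domain is a crude two-label stand-in for a proper Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical trusted corporate domain (assumption); real tooling loads this from policy.
TRUSTED_DOMAINS = {"acme-corp.com"}

# Constructed sample phishing email body, not a real message.
SAMPLE_EMAIL = """
<p>URGENT: your password expires in 2 hours. Reset it now to avoid losing access:</p>
<p><a href="http://secure-login.example.net/reset">https://portal.acme-corp.com/reset</a></p>
<p>Covid-19 support payment ready: <a href="https://acme-corp.com.verify.example.org/claim">claim here</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. Crude stand-in for a Public Suffix List lookup (breaks on co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons one link looks suspicious; an empty list means it passed."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if domain not in trusted:
        reasons.append(f"untrusted domain {domain}")
        # acme-corp.com.verify.example.org is owned by example.org, not by acme-corp.
        if any(t in host for t in trusted):
            reasons.append("lookalike host embeds trusted name")
    shown = re.search(r"https?://([^/\s]+)", text)  # a URL shown as the link's text
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"displayed URL is on {registrable_domain(shown.group(1))} "
                       f"but real target is {domain}")
    return reasons


URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|expires? (today|in)|reset (your|it) now)\b", re.I)
RESET = re.compile(r"\b(reset|verify|confirm) (your|it).{0,20}(password|account)|password expires?\b", re.I)


def triage_email(html, expected=False, known_sender=False, trusted=TRUSTED_DOMAINS):
    """Apply the checklist (expected? known sender? reset? urgency?) plus per-link checks."""
    parser = LinkExtractor()
    parser.feed(html)
    plain = re.sub(r"<[^>]+>", " ", html)
    findings = []
    if not expected:
        findings.append("email was not expected")
    if not known_sender:
        findings.append("sender not known")
    if RESET.search(plain):
        findings.append("asks for a password reset")
    if URGENCY.search(plain):
        findings.append("pressures you to act urgently")
    for href, text in parser.links:
        for reason in check_link(href, text, trusted):
            findings.append(f"link {href}: {reason}")
    verdict = "do not click" if findings else "links pass the basic checks"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage_email(SAMPLE_EMAIL)
    print(verdict)
    for f in findings:
        print(" -", f)
```

The two links in the sample show the two tricks the checklist is really about: the first displays a genuine-looking company address while pointing somewhere else entirely, and the second puts the company name at the front of a hostname that is actually registered under a stranger's domain. The code is a triage aid only; "expected" and "known sender" are still judgements the reader has to make.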

Treat everything as suspicious until confirmed otherwise. These are challenging times and we need to remain vigilant to possible threats at all times.